// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/base/net_errors.h"
#include "net/http/http_auth_challenge_tokenizer.h"
#include "net/http/http_auth_sspi_win.h"
#include "net/http/mock_sspi_library_win.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace net {

namespace {

    void MatchDomainUserAfterSplit(const std::wstring& combined,
        const std::wstring& expected_domain,
        const std::wstring& expected_user)
    {
        std::wstring actual_domain;
        std::wstring actual_user;
        SplitDomainAndUser(combined, &actual_domain, &actual_user);
        EXPECT_EQ(expected_domain, actual_domain);
        EXPECT_EQ(expected_user, actual_user);
    }

    const ULONG kMaxTokenLength = 100;

    void UnexpectedCallback(int result)
    {
        // At present getting tokens from gssapi is fully synchronous, so the callback
        // should never be called.
        ADD_FAILURE();
    }

} // namespace

TEST(HttpAuthSSPITest, SplitUserAndDomain)
{
    MatchDomainUserAfterSplit(L"foobar", L"", L"foobar");
    MatchDomainUserAfterSplit(L"FOO\\bar", L"FOO", L"bar");
}

TEST(HttpAuthSSPITest, DetermineMaxTokenLength_Normal)
{
    SecPkgInfoW package_info;
    memset(&package_info, 0x0, sizeof(package_info));
    package_info.cbMaxToken = 1337;

    MockSSPILibrary mock_library;
    mock_library.ExpectQuerySecurityPackageInfo(L"NTLM", SEC_E_OK, &package_info);
    ULONG max_token_length = kMaxTokenLength;
    int rv = DetermineMaxTokenLength(&mock_library, L"NTLM", &max_token_length);
    EXPECT_EQ(OK, rv);
    EXPECT_EQ(1337u, max_token_length);
}

TEST(HttpAuthSSPITest, DetermineMaxTokenLength_InvalidPackage)
{
    MockSSPILibrary mock_library;
    mock_library.ExpectQuerySecurityPackageInfo(L"Foo", SEC_E_SECPKG_NOT_FOUND,
        NULL);
    ULONG max_token_length = kMaxTokenLength;
    int rv = DetermineMaxTokenLength(&mock_library, L"Foo", &max_token_length);
    EXPECT_EQ(ERR_UNSUPPORTED_AUTH_SCHEME, rv);
    // |DetermineMaxTokenLength()| interface states that |max_token_length| should
    // not change on failure.
    EXPECT_EQ(100u, max_token_length);
}

TEST(HttpAuthSSPITest, ParseChallenge_FirstRound)
{
    // The first round should just consist of an unadorned "Negotiate" header.
    MockSSPILibrary mock_library;
    HttpAuthSSPI auth_sspi(&mock_library, "Negotiate",
        NEGOSSP_NAME, kMaxTokenLength);
    std::string challenge_text = "Negotiate";
    HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
        challenge_text.end());
    EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
        auth_sspi.ParseChallenge(&challenge));
}

TEST(HttpAuthSSPITest, ParseChallenge_TwoRounds)
{
    // The first round should just have "Negotiate", and the second round should
    // have a valid base64 token associated with it.
    MockSSPILibrary mock_library;
    HttpAuthSSPI auth_sspi(&mock_library, "Negotiate",
        NEGOSSP_NAME, kMaxTokenLength);
    std::string first_challenge_text = "Negotiate";
    HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
        first_challenge_text.end());
    EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
        auth_sspi.ParseChallenge(&first_challenge));

    // Generate an auth token and create another thing.
    std::string auth_token;
    EXPECT_EQ(OK, auth_sspi.GenerateAuthToken(NULL, "HTTP/intranet.google.com", std::string(), &auth_token, base::Bind(&UnexpectedCallback)));

    std::string second_challenge_text = "Negotiate Zm9vYmFy";
    HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
        second_challenge_text.end());
    EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
        auth_sspi.ParseChallenge(&second_challenge));
}

TEST(HttpAuthSSPITest, ParseChallenge_UnexpectedTokenFirstRound)
{
    // If the first round challenge has an additional authentication token, it
    // should be treated as an invalid challenge from the server.
    MockSSPILibrary mock_library;
    HttpAuthSSPI auth_sspi(&mock_library, "Negotiate",
        NEGOSSP_NAME, kMaxTokenLength);
    std::string challenge_text = "Negotiate Zm9vYmFy";
    HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
        challenge_text.end());
    EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID,
        auth_sspi.ParseChallenge(&challenge));
}

TEST(HttpAuthSSPITest, ParseChallenge_MissingTokenSecondRound)
{
    // If a later-round challenge is simply "Negotiate", it should be treated as
    // an authentication challenge rejection from the server or proxy.
    MockSSPILibrary mock_library;
    HttpAuthSSPI auth_sspi(&mock_library, "Negotiate",
        NEGOSSP_NAME, kMaxTokenLength);
    std::string first_challenge_text = "Negotiate";
    HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
        first_challenge_text.end());
    EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
        auth_sspi.ParseChallenge(&first_challenge));

    std::string auth_token;
    EXPECT_EQ(OK, auth_sspi.GenerateAuthToken(NULL, "HTTP/intranet.google.com", std::string(), &auth_token, base::Bind(&UnexpectedCallback)));
    std::string second_challenge_text = "Negotiate";
    HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
        second_challenge_text.end());
    EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_REJECT,
        auth_sspi.ParseChallenge(&second_challenge));
}

TEST(HttpAuthSSPITest, ParseChallenge_NonBase64EncodedToken)
{
    // If a later-round challenge has an invalid base64 encoded token, it should
    // be treated as an invalid challenge.
    MockSSPILibrary mock_library;
    HttpAuthSSPI auth_sspi(&mock_library, "Negotiate",
        NEGOSSP_NAME, kMaxTokenLength);
    std::string first_challenge_text = "Negotiate";
    HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
        first_challenge_text.end());
    EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
        auth_sspi.ParseChallenge(&first_challenge));

    std::string auth_token;
    EXPECT_EQ(OK, auth_sspi.GenerateAuthToken(NULL, "HTTP/intranet.google.com", std::string(), &auth_token, base::Bind(&UnexpectedCallback)));
    std::string second_challenge_text = "Negotiate =happyjoy=";
    HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
        second_challenge_text.end());
    EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID,
        auth_sspi.ParseChallenge(&second_challenge));
}

} // namespace net
